Amazon says a client company’s ‘misconfiguration’ of its privacy settings is responsible for more than 54,000 New South Wales driver’s licences becoming publicly accessible.
A security consultant stumbled across the information stored in the cloud, prompting an investigation by Cyber Security NSW.
Amazon said it was co-operating in the investigation but had not disclosed the identity of the company other than to say it was a ‘business entity’ that had collected the licence scans as part of its operations.
‘Amazon Web Services (AWS) currently won’t disclose the name of the entity, but have confirmed it is a commercial entity,’ a Cyber Security NSW spokesman said.
‘Cyber Security NSW’s investigation has focused on working with other organisations to try to identify the owner of the AWS bucket to ensure that the commercial entity is aware of its responsibilities to report and remediate any breach.’
More than 54,000 pictures of NSW driver’s licences were found on an Amazon server last week. Cyber Security NSW said on Thursday that ‘Amazon Web Services currently won’t disclose the name of the entity’.
Cyber Security NSW chief officer Tony Chapman said the company needs to be held accountable for the data breach.
‘There are mandatory reporting requirements under the Office of the Australian Information Commissioner that the commercial entity needs to adhere to,’ he said.
Amazon said the responsibility lay with the client company, which may have inadvertently changed the bucket’s access level.
‘AWS operated as designed and is secure by default. AWS customers own and fully control their data,’ the company said.
‘We offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content.’
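The configuration point Amazon makes above is easy to check from the defender’s side. The script below is an added example, not code from Amazon or from the article: given a bucket policy, its ACL grants and its Public Access Block settings (in the shapes the AWS CLI’s get-bucket-policy, get-bucket-acl and get-public-access-block return), it reports whether the bucket is effectively readable by anyone. The sample policy, bucket name and ACL grant are constructed.

```python
import json

# Constructed sample inputs (not from the article): a bucket policy granting anonymous
# read on every object, and the four Public Access Block guard settings, all enabled.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",  # placeholder bucket name
    }],
})
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def _is_anonymous(principal):
    """True when a statement's Principal is everyone ('*' or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_grants_public_read(policy_json):
    """True if any Allow statement lets anonymous callers fetch objects. Conditions are
    ignored on purpose, so a narrowed '*' principal is still reported (err towards exposure)."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)):
            return True
    return False


def bucket_is_exposed(policy_json, acl_grants, public_access_block):
    """Effective public exposure: RestrictPublicBuckets neutralises a public policy and
    IgnorePublicAcls neutralises a public ACL grant, so exposure remains only when the
    matching guard is off (the kind of misconfiguration the article describes)."""
    pab = public_access_block or {}
    via_policy = (policy_grants_public_read(policy_json)
                  and not pab.get("RestrictPublicBuckets", False))
    via_acl = (any(g.get("Grantee", {}).get("URI") == ALL_USERS_URI
                   and g.get("Permission") in ("READ", "FULL_CONTROL")
                   for g in acl_grants)
               and not pab.get("IgnorePublicAcls", False))
    return via_policy or via_acl
```

Run against a real bucket, the three inputs come straight from the CLI calls named in the lead-in; an account-level Public Access Block applies on top of the bucket-level one and should be merged in before calling `bucket_is_exposed`.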
Mr Chapman stressed that NSW Government agencies did not provide or source the licence information; it was gathered solely by the unidentified company.
While there had been calls for the NSW government to look at which licences were exposed, the chief cyber security officer said that was up to the private company.
Unless that is done, people will not know whether they are among the licence holders whose information has been publicly accessible and may already have been accessed.
‘We do not know how long this commercial entity had this data open for and we do not know whether anybody other than the security researcher quoted in media coverage has accessed the information.’
A Sydney health worker, called Edward, only realised his licence had been leaked when he read a news article about the data breach on Tuesday.
A redacted picture of Edward’s licence on his mother’s table top was featured in the breaking news story, including his former inner west postcode.
‘I remembered having dinner on that table just two nights ago. The licence featured in the article matched my old postcode and also happened to match the exact benchtop at my mum’s place,’ Edward told ABC News.
‘I put two and two together and realised it was probably my licence.’
Edward’s licence was found inside a digital folder of PDF and JPG files containing 108,535 scanned images of over 54,000 NSW licences.
Ukrainian security consultant Bob Diachenko discovered the folder, which contained phone numbers, addresses and birth dates, on an Amazon cloud storage service that was completely open to public view.
Mr Diachenko stumbled upon the folder of driver’s licences as well as another folder containing Roads and Maritime Services toll notice statutory declarations.
He called the data leak a ‘dangerous exposure’ and said the files had most likely already been seen, and possibly copied, by ‘malicious actors’.
‘A malicious actor can impersonate somebody and apply for credit, or do something on behalf of that person,’ he said.
‘For example, you take one licence and connect the dots with one owner of this licence, with his or her emails exposed in another data breach and you’ve got more information on that person.’
IDcare security counsellor Christine Jackson said a stolen driver’s licence is ‘the golden ticket’ for scammers because licences are so often used to verify identities with Centrelink, phone companies and banks.
‘So often that will be telephone accounts, mobile phones are purchased, they might purchase iPads, tablets and things like that as well – so it can rack up to a lot of money,’ she told the ABC.
‘They’ll also apply for credit cards, personal loans and they’ll just keep going until your credit history is in a mess and they can’t go any further.
‘And then they’ll lay low for a while, wait for you to clean it up when you find out what’s gone on, and then they’ll reinvest in that compromised document.’
Ms Jackson said brazen criminals even steal licences from victims’ letterboxes after Roads and Maritime Services posts them to their homes.
Scams reported to the ACCC involving identity theft or the loss of personal or banking information cost Australians at least $16 million last year.
Four in 10 Scamwatch reports in 2019 involved attempts to gain information or the actual loss of victims’ information.
Some of the ways scammers obtain personal or banking information are through direct requests for scans of driver’s licences or passports, often in dating and romance scams.
Fraudsters can empty victims’ bank accounts, take out thousands of dollars in bank loans under victims’ names, and even purchase furniture or electronics under ‘no-repayments for 12 months’ schemes.
Security researcher Troy Hunt believes the source of the leak could be a fleet or toll road operator.
‘The presence of toll notices [in the leak] is probably a bit of a clue and suggests it’s more likely that it’s a toll operator, or a fleet operator,’ he told Car Advice.
Mr Hunt said a breach of this nature would be ‘trivial’ to uncover for anyone with a solid amount of technical knowledge.
‘You don’t have to be at Bob’s level, but if you’re someone who likes to crawl around the internet looking for this stuff [it would be possible] – I’m concerned about someone who makes a concerted effort to find it,’ he said.
‘It was open to public view which was obviously the concerning thing and it’s unclear how long it was open for public view.’
The source of the uploaded files remains unknown, but it’s understood those affected by the breach are yet to be contacted.
Transport for NSW said in a statement that it does not retain or collect tolling data and that it is working with Cyber Security NSW to investigate.